One ThinkSNS SQL injection (ignoring WAF)

Source: Internet
Author: User
Tags echo d

One ThinkSNS SQL injection (ignoring WAF)

 

Apps/page/Lib/Action/DiyAction. class. php line 192:


public function doCopyTemplate() {$id = intval ( $_POST ['id'] );$page = $_POST ['page'];$channel = $_POST ['channel'];$databaseData = D ( 'Page' )->getPageInfo ( $page, $channel );$result = $this->checkRole ( $databaseData ['manager'], $databaseData );if ($result ['admin']) {echo D ( 'pageTemplate' )->saveCopyAction ( $id, $this->mid, $page, $channel );} else {echo - 1;}}</code>



Get $ _ POST ['channel'] And pass in the getPageInfo function. Let's look at this function:


/*** Return page details * @ param unknown_type $ id * @ param unknown_type $ field * @ return unknown */public function getPageInfo ($ map, $ field = 'id, page_name, domain, canvas, manager, status, guest, seo_title, seo_keywords, seo_description ') {$ data = $ this-> where ($ map)-> field ($ field) -> find (); return $ data ;}</code>



The default value indicates that the second parameter is the field name, and you do not need to consider addslashes.

Let's try. After login, send the following packet:

 



Let's see what statements mysql has executed:
 



As shown in the figure, there are many controllable parts, and we can control all the content after the select statement. No sensitive word select, so WAF is ignored.

There are many other methods in this file, so I will not point them out one by one.

 

To construct a blind note. See the Code:


$databaseData = D ( 'Page' )->getPageInfo ( $page, $channel );$result = $this->checkRole ( $databaseData ['manager'], $databaseData );</code>



$ DatabaseData ['manager'] has passed in the checkRole function. Let's see it:


Private function checkRole ($ user, $ pageInfo) {$ admin = false; $ openDiy = false; $ userModel = model ('usergroup'); $ user = explode (',', $ user); if (in_array ($ this-> mid, $ user) | $ userModel-> isAdmin ($ this-> mid) {$ admin = true ;} else {$ this-> error ('You have no management permission! ');} If (isset ($ _ GET ['diy']) & $ pageInfo ['pagetype ']! = 'LIST') {$ openDiy = true;} $ this-> assign ('opendiy ', $ openDiy); $ this-> assign ('admin', $ admin ); $ result ['admin'] = $ admin; $ result ['opendiy '] = $ openDiy; return $ result;} </code>



If $ this-> mid (your uid) is in $ user, it is passed. Otherwise, "You are not authorized to manage" is displayed ".

Therefore, you can blind Note by displaying "You have no management Permissions.



My $ this-> mid is 2.> 113 "method not found" is displayed ":

 



> 114 "you do not have administrator permissions ":
 



Similarly, to inject a user password, you only need to change user () to password.

Solution:

Filter

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.